Abstract — We present a refinement of the Calculus of Inductive Constructions in which one can easily define a notion of relational parametricity. It provides a new way to automate proofs in an interactive theorem prover like Coq.

I. Introduction 

The Calculus of Inductive Constructions (CIC in short) extends the Calculus of Constructions with inductively defined types. It is the underlying formal language of the Coq interactive theorem prover [1].

In the original presentation, CIC had three kinds of sorts: the impredicative sort of propositions Prop, the impredicative sort of basic informative types Set, and the hierarchy of universes $\mathrm{Type}_0, \mathrm{Type}_1, \ldots$ This presentation was not compatible with the possibility to add axioms to the system, since it could lead to inconsistencies [2]. Nowadays, there is no impredicative sort of basic informative types, and Set represents $\mathrm{Type}_0$.

This does not fit well with one of the major original ideas behind CIC: the possibility to perform program extraction. Indeed, since the current version of CIC does not separate informative types from non-informative types, extraction needs to normalize the type of each term to decide whether that term should be erased or not, and this makes it very hard to prove correct [3].

In this paper, we propose a refinement of CIC which reconciles extraction with the possibility to add axioms to the system: $\mathrm{CIC}_{\mathrm{ref}}$, the Refined Calculus of Inductive Constructions. The idea is to split the $(\mathrm{Type}_i)_{i \in \mathbb{N}}$ hierarchy into two hierarchies $(\mathrm{Set}_i)_{i \in \mathbb{N}}$ and $(\mathrm{Type}_i)_{i \in \mathbb{N}^*}$, one for informative types and one for types without computational content.

This calculus allows us to extend the presentation of parametricity for Pure Type Systems introduced by Bernardy et al. [4] to the Calculus of Inductive Constructions. Parametricity is a concept introduced by Reynolds [5] to study the type abstraction of System F, and the abstraction theorem expresses the fact that polymorphic programs map related arguments to related results. In $\mathrm{CIC}_{\mathrm{ref}}$, we can define a notion of relational parametricity in which the relations' codomain is the sort Prop of propositions.

II. CIC_ref: the Refined Calculus of Inductive Constructions

The Refined Calculus of Inductive Constructions is a refinement of CIC where terms are generated by the same grammar as CIC:

$$A, B, P, Q, F ::= x \mid s \mid \forall x : A.\, B \mid \lambda x : A.\, B \mid (A\ B) \mid I \mid c \mid \mathrm{case}_I(A, Q, F, P) \mid \mathrm{fix}(x : A).\, B$$

where $s$ ranges over the set $\{\mathrm{Prop}\} \cup \{\mathrm{Set}_i, \mathrm{Type}_{i+1} \mid i \in \mathbb{N}\}$ of sorts and $x$ ranges over the set of variables. We write

to state that $I$ is a well-formed inductive definition typed with $p$ parameters, of arity $A$, with $k$ constructors $c_1, \ldots, c_k$ of respective types $C_1, \ldots, C_k$.

A context $\Gamma$ is a list of pairs $x : A$, and the typing rules are the rules of CIC (one can refer to [6] for the complete set of rules), except for the rules typing sorts and dependent products. As in CIC, typing fixpoints (for fix) and elimination rules (for case) is subject to restrictions that ensure coherence. We present only the rules which are specific to our type system. Here are the three typing rules for sorts:

$$\vdash \mathrm{Prop} : \mathrm{Type}_1 \qquad \vdash \mathrm{Set}_i : \mathrm{Type}_{i+1} \qquad \vdash \mathrm{Type}_i : \mathrm{Type}_{i+1}$$

The following three typing rules tell which products are authorized in the system. The level of the product is the maximum of the levels of the domain and the codomain:

$$\frac{\Gamma \vdash A : r_i \qquad \Gamma, x : A \vdash B : s_j}{\Gamma \vdash \forall x : A.\, B : s_{\max(i,j)}} \quad r, s \in \{\mathrm{Type}, \mathrm{Set}\}$$

Quantifying over propositions does not raise the level of the product:

$$\frac{\Gamma \vdash A : \mathrm{Prop} \qquad \Gamma, x : A \vdash B : s_i}{\Gamma \vdash \forall x : A.\, B : s_i} \quad s \in \{\mathrm{Type}, \mathrm{Set}\}$$

The sort Prop is impredicative, which means that products in Prop may be built by quantifying over objects whose types inhabit any sort:

$$\frac{\Gamma \vdash A : s \qquad \Gamma, x : A \vdash B : \mathrm{Prop}}{\Gamma \vdash \forall x : A.\, B : \mathrm{Prop}} \quad s \in \{\mathrm{Type}, \mathrm{Set}, \mathrm{Prop}\}$$

Finally, as in CIC, the system comes with subtyping rules based on the following inclusion of sorts (where $i < j$):

$$\mathrm{Prop} <: \mathrm{Set}_i \qquad \mathrm{Set}_i <: \mathrm{Set}_j \qquad \mathrm{Type}_i <: \mathrm{Type}_j$$

One should note that $\mathrm{CIC}_{\mathrm{ref}}$ easily embeds into CIC by mapping any $\mathrm{Set}_i$ and $\mathrm{Type}_i$ onto the $\mathrm{Type}_i$ of CIC. The coherence of CIC thus implies the coherence of $\mathrm{CIC}_{\mathrm{ref}}$.
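The sort, product and subtyping rules of this section, encoded as an added Python check that is not part of the paper (the Sort class and the function names are my own). It goes slightly beyond the text by also applying the embedding into CIC to a computed product sort, which shows why Set_i and Type_i must be kept apart before erasure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sort:
    name: str       # "Prop", "Set" or "Type"
    level: int = 0  # index i of Set_i / Type_i; unused for Prop

PROP = Sort("Prop")

def well_formed(s):   # the sorts are Prop, Set_i (i >= 0) and Type_{i+1} (i >= 0)
    return s == PROP or (s.name == "Set" and s.level >= 0) or (s.name == "Type" and s.level >= 1)

def sort_of_sort(s):  # ⊢ Prop : Type_1,  ⊢ Set_i : Type_{i+1},  ⊢ Type_i : Type_{i+1}
    assert well_formed(s)
    return Sort("Type", 1) if s == PROP else Sort("Type", s.level + 1)

def product_sort(dom, cod):
    """Sort of ∀x:A.B given Γ ⊢ A : dom and Γ, x:A ⊢ B : cod (the three product rules)."""
    assert well_formed(dom) and well_formed(cod)
    if cod == PROP:    # Prop is impredicative: the domain may live in any sort
        return PROP
    if dom == PROP:    # quantifying over a proposition does not raise the level
        return cod
    # both sorts are Set or Type: stay in the codomain's hierarchy, at the maximum level
    return Sort(cod.name, max(dom.level, cod.level))

def subsort(s, t):   # Prop <: Set_i,  Set_i <: Set_j,  Type_i <: Type_j  (i < j), taken reflexive
    if s == t:
        return True
    if s == PROP:
        return t.name == "Set"
    return s.name == t.name and s.level < t.level

def to_cic(s):       # the embedding into CIC: Set_i and Type_i both map to CIC's Type_i
    return s if s == PROP else Sort("Type", s.level)

# A Set-valued codomain stays informative even under a Type domain (Set_3 here);
# after the embedding into CIC the distinction is gone, both sides become Type_3.
informative = product_sort(Sort("Type", 3), Sort("Set", 1))
print(informative, to_cic(informative))
```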

III. Parametricity

We can define a notion of relational parametricity for $\mathrm{CIC}_{\mathrm{ref}}$.



$$\theta_I(Q, F, P) = \lambda (x : A)(x' : A')(x_R : [A]\, x\, x')(a : I\, Q\, x)(a' : I\, Q'\, x')(a_R : [I]\, Q\, Q'\, [Q]\, x\, x'\, x_R\, a\, a').\ [F]\, x\, x'\, x_R\, a\, a'\, a_R\, (\mathrm{case}_I(a, Q, F, P))\, (\mathrm{case}_I(a', Q', F', P'))$$

Fig. 1. Relational parametricity for inductive types



Definition 1 (Parametricity relation). For any inductive

we define a fresh inductive symbol $[I]$ and a family $([c_i])_{i = 1 \ldots k}$ of fresh constructor names.

The parametricity translation $[\cdot]$ is defined by induction on the structure of terms and contexts:

$$\begin{aligned}
[\langle\rangle] &= \langle\rangle \\
[\Gamma, x : A] &= [\Gamma],\, x : A,\, x' : A',\, x_R : [A]\, x\, x' \\
[s] &= \lambda (x : s)(x' : s).\ x \to x' \to \tilde{s} \\
[x] &= x_R \\
[\forall x : A.\, B] &= \lambda (f : \forall x : A.\, B)(f' : \forall x' : A'.\, B').\ \forall (x : A)(x' : A')(x_R : [A]\, x\, x').\ [B]\, (f\, x)\, (f'\, x') \\
[\lambda x : A.\, B] &= \lambda (x : A)(x' : A')(x_R : [A]\, x\, x').\ [B] \\
[(A\ B)] &= ([A]\, B\, B'\, [B]) \\
[\mathrm{fix}(x : A).\, B] &= (\mathrm{fix}(x_R : [A]\, x\, x').\, [B])\ [\mathrm{fix}(x : A).\, B / x]\ [\mathrm{fix}(x' : A').\, B' / x']
\end{aligned}$$

— Vp — ; >P 

$$[\mathrm{case}_I(M, Q, F, P)] = \mathrm{case}_{[I]}([M], Q, Q', [Q], \theta_I(Q, F, P), [P])$$

where $\widetilde{\mathrm{Prop}} = \widetilde{\mathrm{Set}_i} = \mathrm{Prop}$ and $\widetilde{\mathrm{Type}_i} = \mathrm{Type}_i$, and where $A'$ denotes the term $A$ in which each variable $x$ has been replaced by a fresh variable $x'$. The definition of $\theta_I$ is given in Fig. 1.

What is new with respect to previous works is the fact that relations over objects of type Prop or $\mathrm{Set}_i$ have their codomain in Prop instead of higher universes. We also formally define parametricity for inductive types.
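As an added illustration that is not taken from the paper, the following Python code implements the translation of Definition 1 on the inductive-free fragment (variables, sorts, products, abstractions, applications) over a small term AST. The AST class names, the binder names p, p' used to spell the arrows in $[s]$, and the rendering function are my own choices.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Var:  name: str                          # variable x
@dataclass(frozen=True)
class Sort: name: str; level: int = 0          # Prop, Set_i or Type_i
@dataclass(frozen=True)
class Pi:   x: str; dom: object; cod: object   # ∀x:dom.cod
@dataclass(frozen=True)
class Lam:  x: str; dom: object; body: object  # λx:dom.body
@dataclass(frozen=True)
class App:  fn: object; arg: object            # (fn arg)

def tilde(s):     # s~ : Prop and Set_i collapse to Prop, Type_i is unchanged
    return Sort("Prop") if s.name in ("Prop", "Set") else s

def prime(t):     # A' : every variable x, bound or free, is renamed to x'
    if isinstance(t, Var):  return Var(t.name + "'")
    if isinstance(t, Sort): return t
    if isinstance(t, Pi):   return Pi(t.x + "'", prime(t.dom), prime(t.cod))
    if isinstance(t, Lam):  return Lam(t.x + "'", prime(t.dom), prime(t.body))
    return App(prime(t.fn), prime(t.arg))

def rel(A, a, b): # the relation [A] applied to the two related terms a and b
    return App(App(trans(A), a), b)

def trans(t):     # [t]; binder names are assumed not to clash with the fresh f, f', x, x'
    if isinstance(t, Var):   # [x] = x_R
        return Var(t.name + "_R")
    if isinstance(t, Sort):  # [s] = λ(x:s)(x':s). x → x' → s~   (arrows spelled ∀p, ∀p')
        return Lam("x", t, Lam("x'", t, Pi("p", Var("x"), Pi("p'", Var("x'"), tilde(t)))))
    if isinstance(t, App):   # [(A B)] = ([A] B B' [B])
        return App(rel(t.fn, t.arg, prime(t.arg)), trans(t.arg))
    x, xp, xr = t.x, t.x + "'", t.x + "_R"
    if isinstance(t, Lam):   # [λx:A.B] = λ(x:A)(x':A')(x_R:[A] x x'). [B]
        return Lam(x, t.dom, Lam(xp, prime(t.dom), Lam(xr, rel(t.dom, Var(x), Var(xp)), trans(t.body))))
    # [∀x:A.B] = λ(f:∀x:A.B)(f':∀x':A'.B'). ∀(x:A)(x':A')(x_R:[A] x x'). [B] (f x) (f' x')
    body = rel(t.cod, App(Var("f"), Var(x)), App(Var("f'"), Var(xp)))
    return Lam("f", t, Lam("f'", prime(t),
               Pi(x, t.dom, Pi(xp, prime(t.dom), Pi(xr, rel(t.dom, Var(x), Var(xp)), body)))))
def show(t):      # readable rendering of a term
    if isinstance(t, Var):  return t.name
    if isinstance(t, Sort): return t.name if t.name == "Prop" else f"{t.name}_{t.level}"
    if isinstance(t, Pi):   return f"∀{t.x}:{show(t.dom)}.{show(t.cod)}"
    if isinstance(t, Lam):  return f"λ{t.x}:{show(t.dom)}.{show(t.body)}"
    return f"({show(t.fn)} {show(t.arg)})"

# constructed input: the type of the polymorphic identity, ∀a:Set_0. ∀x:a. a
POLY_ID = Pi("a", Sort("Set", 0), Pi("x", Var("a"), Var("a")))
print(show(trans(POLY_ID)))
```

The printed relation quantifies over a, a' and a relation a_R between them (the translation of Set_0 reduces to a → a' → Prop), exactly the shape the abstraction theorem exploits for free theorems.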

Unfortunately, in order to prove the abstraction theorem below, we need to restrict strong elimination: we have to disallow the case destructions used to build objects whose types are of sort Type when the destructed inductive definition is not small (small inductive definitions are inductive definitions whose constructors only have arguments of type Prop or Set, see [6]). We write $\vdash^*$ for the derivability relation in which strong elimination is authorized only over small inductive definitions.

Theorem 1 (Abstraction theorem). If $\Gamma \vdash^* A : B$ then $[\Gamma] \vdash A : B$, $[\Gamma] \vdash A' : B'$, and $[\Gamma] \vdash [A] : [B]\, A\, A'$.

IV. Applications 

A lot of so-called "free theorems" are consequences of the abstraction theorem, and our framework is expressive enough to implement most examples that can be found in the literature (see for instance [4], [7]).

Here we propose a new example inspired by François Garillot's thesis [8], in which he remarks that polymorphic functions operating on groups can only compose elements using the laws given by the group's structure, and thus cannot create new elements.

In our system, we may actually use parametricity theory to translate this uniformity property. We take an arbitrary group structure $H$ defined by its carrier $\alpha : \mathrm{Set}_0$, a unit element, a composition law, an inverse and the standard axioms stating that $H$ is a group. We define fingrp, the type of all the finite subgroups of $H$, consisting of a list plus stability axioms. Now consider any term $Z : \mathrm{fingrp} \to \mathrm{fingrp}$ (examples of such terms abound: e.g. the center, the normalizer, the derived subgroup...). The abstraction theorem states that for any $R : \alpha \to \alpha \to \mathrm{Prop}$ compatible with the laws of $H$, and for any $G, G' : \mathrm{fingrp}$, $[\mathrm{fingrp}]\, R\, G\, G' \to [\mathrm{fingrp}]\, R\, (Z\, G)\, (Z\, G')$, where $[\mathrm{fingrp}]\, R$ is the relation on subgroups induced by $R$. Given this, we can prove the following properties:

• for any $G$, $Z\, G \subset G$ (if we take $R : x\, y \mapsto x \in G$);

• for any $G$, for any morphism $\phi$ of $H$, $\phi(Z\, G) = Z\, \phi(G)$ (if we take $R : x\, y \mapsto y = \phi(x)$). It entails that $Z\, G$ is a characteristic subgroup of $G$.

For a complete Coq formalization of this, please refer to the online source code [9].

V. Conclusion 

The system presented here allows one to distinguish clearly, via typing, which expressions will be computationally meaningful after extraction. It allows us to define a notion of parametricity for which relations lie in the sort of propositions. We set here the theoretical foundation for an implementation of a Coq tactic that constructs proof terms by parametricity. A first prototype of such a tactic can be found online [9].